[wp-hackers] Re: [wp-trac] Re: [WordPress Trac] #3592: Links with double-quotes fail to validate
Mark Jaquith
mark.wordpress at txfx.net
Wed Jan 17 19:14:51 GMT 2007
On Jan 17, 2007, at 9:38 AM, WordPress Trac wrote:
> there still exists an XSS vulnerability due to an "author" being
> able to add Javascript to the links via events (such as onClick,
> onMouseOver, etc)
Authors without the unfiltered_html capability have their posts
filtered by KSES, eliminating the XSS risk. This is just an issue of
XHTML validation.
--
Mark Jaquith
http://markjaquith.com/
Covered Web Services
http://covered.be/
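The capability-gated filtering Mark describes (KSES strips disallowed tags and attributes from the posts of users who lack unfiltered_html, so an onClick or onMouseOver on a link never reaches the page) can be illustrated with a small allowlist sanitizer. The code below is an added example written for this page; it is not WordPress's KSES and its tag/attribute allowlist is a constructed subset chosen to show the mechanism, not the real KSES tables. It also re-encodes double quotes inside attribute values, which is the validation problem the ticket in the subject line is about.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist (hypothetical, far smaller than real KSES tables):
# tag -> attributes that survive filtering. No on* event handlers anywhere.
ALLOWED_TAGS = {"a": {"href", "title"}, "em": set(), "strong": set()}
ALLOWED_PROTOCOLS = {"http", "https", "mailto"}


def safe_href(value):
    """Reject javascript:/data:/etc. schemes; allow relative URLs and allowed schemes."""
    if value is None:
        return False
    # Drop control characters so "java\tscript:" cannot smuggle a scheme past the check.
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip().lower()
    scheme, sep, _rest = cleaned.partition(":")
    if not sep:
        return True  # no scheme at all: relative URL
    if any(c in scheme for c in "/?#"):
        return True  # colon appears after the path starts, so it is not a scheme
    return scheme in ALLOWED_PROTOCOLS


class KsesLike(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is kept by handle_data
        kept = []
        for name, value in attrs:  # HTMLParser lowercases names and decodes entities
            if name not in ALLOWED_TAGS[tag]:
                continue  # onclick, onmouseover, style ... all land here
            if name == "href" and not safe_href(value):
                continue
            # Re-escape so a double quote in the value becomes &quot; (valid XHTML)
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def kses(html):
    """Filter a fragment of user-supplied HTML through the allowlist."""
    parser = KsesLike()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def filter_post(content, can_unfiltered_html):
    """Mirror the capability gate: trusted users bypass filtering, others do not."""
    return content if can_unfiltered_html else kses(content)


if __name__ == "__main__":
    # Constructed sample input resembling the ticket's concern
    sample = '<a href="http://example.com/?q=&quot;hi&quot;" onClick="alert(1)">link</a>'
    print(filter_post(sample, can_unfiltered_html=False))
    print(filter_post(sample, can_unfiltered_html=True))
```

The gate in filter_post is the important part of the design: the sanitizer only protects content that actually passes through it, so the security of the scheme depends on the capability check being applied consistently at every path where post content is stored or rendered.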